5 App Security Leak Points Every Mobile Developer Should Know How to Plug
By Doug Sillars
Security leaks: they seem more common every day. In fact, I think that most tech journalists have a stock headline that they can fill out like the Mad-Libs we knew as kids:
[Data breach|hackers] at <major company name> causes loss of <large number> of <type of personal data> affecting <another large number> of customers.
As mobile app developers, our goal is to build excellent apps with amazing interfaces and experiences for our customers. With smartphones we have unprecedented access to information about our users, so it is just as crucial that we protect our customers' data appropriately. In March 2015, IBM found that 40% of all mobile developers do not perform security testing of their mobile apps. It may be that they don't know where to begin. Here are five places to begin studying how to secure your mobile app.
5 Simple Ways to Check Mobile App Security
When we talk about security in mobile applications, there are a few common app security leak points that are easy to stem.
- I have seen privacy policies that said (and this is a paraphrase of the exact terms): "we collect your customers' e-mail addresses, but have no plans to ever use them." From a security perspective, this is a leak waiting to happen: data you store but never use still has to be protected, and it is exposed in a breach just as surely as the data you do use. If you have no need to collect private information, do not collect it.
- I have also seen third-party libraries whose policies say "we collect personal information like contact lists and phone call records, and we also collect non-personal data like location." A location trace identifies a person about as well as a name does, and everything a library you embed collects, your app collects. Read the policy of every SDK you ship, and drop the ones that take more than your app needs.
- Turn off debug messages to the system log. On Android it is common to debug an application by writing messages to the system log with android.util.Log and watching logcat. Most developers strip these from release builds (Lint flags stray Log calls, and a ProGuard -assumenosideeffects rule for android.util.Log lets a minified release build drop them), but some miss this, and any value concatenated into a log line (a token, an e-mail address) goes out with it.
- On Android, if your customers are running Jelly Bean (4.1) or later on a device that is not rooted, you are probably ok: from Jelly Bean onward the READ_LOGS permission is no longer granted to ordinary third-party apps. Any application on a rooted device, or on a device running Ice Cream Sandwich (4.0) and earlier, can read the system log and pick your app's messages out of it, and anyone with USB debugging enabled can do the same with adb logcat.
- Use HTTPS to transmit a customer's personal data. If you are transmitting your customer's personal data from the app to the server, it should be sent over HTTPS to prevent eavesdropping on the connection between the two parties. That protection only holds if the client actually verifies the server's certificate and hostname; a custom TrustManager or HostnameVerifier that accepts everything leaves you with plaintext in an encrypted wrapper. Test your connectivity with nogotofail, which sits between the device and the network and reports whether your app accepts bad certificates, falls back to cleartext, or is affected by known TLS weaknesses.
- Perform penetration tests to identify vulnerabilities in your app. If your application becomes popular, other apps may probe it for activities, services, broadcast receivers and content providers that are exported to external applications, and then use them to extract data from your application. Tools like Drozer enumerate your app's attack surface and let you invoke those components the way a malicious app would, so that you can close them (android:exported="false", or a permission on components that must stay exported) before they are exploited.
- Store customer data on a secure server. This tip goes beyond the scope of mobile apps: if the server where you store customer data is not secure, you leave all of your customer data exposed. Lock down your APIs so that every request is authenticated and returns only the data that user is entitled to, and protect the databases behind them just as carefully.
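For the debug-logging tip, here is an added example (not code from the original article) of a small check you can run over an Android source tree before a release build: it lists every android.util.Log call that is not wrapped in an `if (BuildConfig.DEBUG)` block, flags the ones whose line mentions a sensitive-looking value, and reports whether the ProGuard rules file contains the `-assumenosideeffects class android.util.Log` rule that lets a minified release build strip the calls. The Java fragment, the rules file, the app package `com.example.app` and the sensitive-word list are all constructed for the example; the guard detection is a line-oriented heuristic, not a Java parser.

```python
import re

# Constructed sample: a fragment of an Android activity in which one Log call
# is guarded by BuildConfig.DEBUG and two are not; one of the unguarded calls
# writes a session token to the system log.
SAMPLE_JAVA = """\
package com.example.app;

import android.util.Log;

public class LoginActivity {
    private static final String TAG = "LoginActivity";

    void onLogin(String email, String token) {
        if (BuildConfig.DEBUG) {
            Log.d(TAG, "login attempt for " + email);
        }
        Log.i(TAG, "session token=" + token);
        Log.v(TAG, "view created");
    }
}
"""

# Constructed sample proguard-rules.pro that keeps everything and strips nothing.
SAMPLE_RULES = """\
-keep class com.example.app.** { *; }
"""

LOG_CALL = re.compile(r"\bLog\.(wtf|v|d|i|w|e)\s*\(")
DEBUG_GUARD = re.compile(r"\bBuildConfig\.DEBUG\b")
# Heuristic word list for values that should never reach a log (assumption:
# extend it with the field names your own app handles).
SENSITIVE = re.compile(r"token|password|passwd|secret|email|ssn|credit|card", re.I)
# The ProGuard/R8 rule that lets the optimizer drop android.util.Log calls
# from a minified release build.
STRIP_RULE = re.compile(r"-assumenosideeffects\s+class\s+android\.util\.Log\b")


def find_unguarded_log_calls(source):
    """Return (line_no, level, sensitive) for every android.util.Log call that
    is not inside an `if (BuildConfig.DEBUG)` block.

    Nesting is tracked by counting braces from the line that mentions
    BuildConfig.DEBUG, so this is a line-oriented heuristic, not a Java parser:
    a brace inside a string literal would throw the count off.
    """
    findings = []
    depth = 0           # current brace depth
    guard_depth = None  # depth at which the DEBUG guard opened, or None
    for line_no, line in enumerate(source.splitlines(), 1):
        if guard_depth is None and DEBUG_GUARD.search(line):
            guard_depth = depth
        match = LOG_CALL.search(line)
        if match and guard_depth is None:
            findings.append((line_no, match.group(1), bool(SENSITIVE.search(line))))
        depth += line.count("{") - line.count("}")
        if guard_depth is not None and depth <= guard_depth:
            guard_depth = None  # left the guarded block (or it was a one-liner)
    return findings


def release_strips_logs(proguard_rules):
    """True if the rules file tells ProGuard/R8 to remove Log calls."""
    return STRIP_RULE.search(proguard_rules) is not None


if __name__ == "__main__":
    for line_no, level, sensitive in find_unguarded_log_calls(SAMPLE_JAVA):
        tag = " <-- sensitive value" if sensitive else ""
        print(f"LoginActivity.java:{line_no}: unguarded Log.{level}(){tag}")
    if not release_strips_logs(SAMPLE_RULES):
        print("proguard-rules.pro: release builds will not strip android.util.Log calls")
```

On the sample it reports lines 12 and 13 (the token line marked as sensitive) and the missing strip rule. Note that the ProGuard rule only takes effect when the release build type has minifyEnabled set; a guarded call is the safer habit because it does not depend on build configuration.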
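For the penetration-testing tip, here is an added example (not code from the original article, nor part of Drozer) of the static half of what Drozer's attack-surface enumeration does dynamically: it reads an AndroidManifest.xml, applies Android's documented export rules (an explicit android:exported wins; otherwise an activity, service or receiver is exported if it has an intent-filter; a provider is exported by default when minSdkVersion or targetSdkVersion is 16 or lower), and lists the components another app can reach along with whether a permission protects them. The manifest and the package `com.example.app` are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
COMPONENT_TAGS = ("activity", "activity-alias", "service", "receiver", "provider")


def android(attr):
    """Namespace-qualified name of an android:* attribute for ElementTree."""
    return f"{{{ANDROID_NS}}}{attr}"


# Constructed sample manifest for a hypothetical app, com.example.app.
SAMPLE_MANIFEST = """\
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-sdk android:minSdkVersion="15" android:targetSdkVersion="22"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <activity android:name=".ExportUserData" android:exported="true"/>
    <activity android:name=".Settings" android:exported="false"/>
    <receiver android:name=".SyncReceiver">
      <intent-filter>
        <action android:name="com.example.app.SYNC"/>
      </intent-filter>
    </receiver>
    <service android:name=".AdminService" android:exported="true"
             android:permission="com.example.app.ADMIN"/>
    <provider android:name=".UserProvider"
              android:authorities="com.example.app.users"/>
  </application>
</manifest>
"""


def find_exported_components(manifest_xml):
    """List every component another app can reach, with the reason it is reachable.

    Export rules applied (Android's documented defaults):
      - android:exported="true"/"false" is authoritative when present
      - otherwise an activity/service/receiver is exported iff it declares an
        <intent-filter> (API 31+ refuses to build such a manifest)
      - otherwise a provider is exported when minSdkVersion or
        targetSdkVersion is 16 or lower
    """
    root = ET.fromstring(manifest_xml)
    sdk = root.find("uses-sdk")
    min_sdk = int(sdk.get(android("minSdkVersion"), "1")) if sdk is not None else 1
    target_sdk = (int(sdk.get(android("targetSdkVersion"), str(min_sdk)))
                  if sdk is not None else min_sdk)
    provider_default = min(min_sdk, target_sdk) <= 16

    findings = []
    app = root.find("application")
    for comp in (app if app is not None else []):
        if comp.tag not in COMPONENT_TAGS:
            continue
        explicit = comp.get(android("exported"))
        has_filter = comp.find("intent-filter") is not None
        if explicit is not None:
            exported, reason = explicit == "true", f'android:exported="{explicit}"'
        elif comp.tag == "provider":
            exported, reason = provider_default, "provider default for minSdk/targetSdk <= 16"
        else:
            exported, reason = has_filter, "implicit export via <intent-filter>"
        if not exported:
            continue
        # The launcher activity has to be exported; mark it so it is not a finding.
        is_launcher = any(
            action.get(android("name")) == "android.intent.action.MAIN"
            for flt in comp.findall("intent-filter")
            for action in flt.findall("action")
        )
        findings.append({
            "kind": comp.tag,
            "name": comp.get(android("name")),
            "reason": reason,
            "permission": comp.get(android("permission")),
            "launcher": is_launcher,
        })
    return findings


def unprotected(findings):
    """Exported components with no permission that are not the launcher entry."""
    return [f for f in findings if f["permission"] is None and not f["launcher"]]


if __name__ == "__main__":
    exported = find_exported_components(SAMPLE_MANIFEST)
    for f in exported:
        guard = f["permission"] or ("launcher" if f["launcher"] else "NONE")
        print(f"{f['kind']:10} {f['name']:16} {f['reason']}; protection: {guard}")
    print("needs attention:", [f["name"] for f in unprotected(exported)])
```

On the sample, `.ExportUserData`, `.SyncReceiver` and `.UserProvider` come back as reachable with no permission; the provider is the one developers tend to miss, because nothing in its declaration says "exported" and the default comes from the SDK version. Run Drozer's `app.package.attacksurface` against the installed APK afterwards to confirm what the running system actually exposes, since build tooling and manifest merging can change the final manifest.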
In conclusion, it is up to you, as the developer, to ensure that the data you collect in your application is secured from "the bad guys." As you work to become the "next big app," don't forget to work just as hard to avoid becoming the "next big app to accidentally release personal customer information."
Photo courtesy of FaceMePls via Flickr